Dear antivirus vendors: Are you aiding and abetting National Security Agency (NSA) spying?
That’s the subject of an open letter, sent in October to leading antivirus vendors, from 25 different privacy and information security experts and organizations. The letter asks the vendors to detail whether they’ve ever detected state-sponsored malware or received a government request to whitelist state-sponsored malware, and how they would respond to any such requests in the future.
The letter, sent from Dutch digital rights foundation Bits of Freedom, requested that the firms respond by November 15. “Please let us know if you feel that you cannot, or cannot fully, answer any of the above questions because of legal constraints imposed upon you by any government,” it said.
“Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we’ve been wondering if it’s done anything to antivirus products,” letter signatory Bruce Schneier, chief security technology officer of BT, said in a blog post. “Given that it engages in offensive cyberattacks — and launches cyberweapons like Stuxnet and Flame — it’s reasonable to assume that it’s asked antivirus companies to ignore its malware. We know that antivirus companies have previously done this for corporate malware.”
As of two weeks ago, however, only six security vendors — ESET, F-Secure, Kaspersky Lab, Norman Shark, Panda, and Trend Micro — had responded to the request for information. Even so, the news was good. “All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher,” according to researcher Ton Siedsma at Bits of Freedom. “Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply.”
For the record, whatever antivirus vendors’ attitude toward state-sponsored malware, whether or not they detect it won’t necessarily stop the spread of such malware. In part, that’s because for an antivirus firm to spot malware, it first needs to have seen the malware, recognized that it’s malicious code, and written a corresponding virus signature for its products. In addition, intelligence agencies no doubt work overtime — and occasionally make use of zero-day vulnerabilities — to ensure that their malicious code escapes detection. They’re probably quite successful at doing so. For example, leaked documents suggest that by 2012, the NSA had installed malware on more than 50,000 PCs used by US government targets.
Given that level of success, it’s unlikely, argued Schneier, that any intelligence or law enforcement agencies would try to tell domestic antivirus firms what to do. “Antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies,” he said.
But if that’s the case, what’s to account for the silence from McAfee, Microsoft, and Symantec, and the other antivirus firm holdouts?